230 likes | 242 Views
Block Ciphers. Block Ciphers. Modern version of a codebook cipher In effect, a block cipher algorithm yields a huge number of codebooks Specific codebook determined by key It is OK to use same key for a while Just like classic codebook Initialization vector (IV) is like additive
E N D
Block Ciphers Block Ciphers 1
Block Ciphers • Modern version of a codebook cipher • In effect, a block cipher algorithm yields a huge number of codebooks • Specific codebook determined by key • It is OK to use same key for a while • Just like classic codebook • Initialization vector (IV) is like additive • Change the key, get a new codebook Block Ciphers 2
(Iterated) Block Cipher • Plaintext and ciphertext “units” are fixed sized blocks • Typical block sizes: 64 to 256 bits • Ciphertext obtained from plaintext by iterating a round function • Input to round function consists of key and the output of previous round • Most are designed for software Block Ciphers 3
Multiple Blocks • How to encrypt multiple blocks? • A new key for each block? • As bad as (or worse than) a one-time pad! • Encrypt each block independently? • Make encryption depend on previous block(s), i.e., “chain” the blocks together? • How to handle partial blocks? Block Ciphers 4
Block Cipher Modes • We discuss 3 (many others) • Electronic Codebook (ECB) mode • Encrypt each block independently • There is a serious weakness • Cipher Block Chaining (CBC) mode • Chain the blocks together • Better than ECB, virtually no extra work • Counter Mode (CTR) mode • Like a stream cipher (random access) Block Ciphers 5
ECB Mode • Notation: C = E(P,K) and P = D(C,K) • Given plaintext P0,P1,…,Pm,… • Obvious way to use a block cipher is EncryptDecrypt C0 = E(P0, K), P0 = D(C0, K), C1 = E(P1, K), P1 = D(C1, K), C2 = E(P2, K),… P2 = D(C2, K),… • For a fixed key K, this is an electronic version of a codebook cipher (no additive) • A new codebook for each key Block Ciphers 6
ECB Cut and Paste Attack • Suppose plaintext is Alice digs Bob. Trudy digs Tom. • Assuming 64-bit blocks and 8-bit ASCII: P0 = “Alice di”, P1 = “gs Bob. ”, P2 = “Trudy di”, P3 = “gs Tom. ” • Ciphertext: C0,C1,C2,C3 • Trudy cuts and pastes: C0,C3,C2,C1 • Decrypts as Alice digs Tom. Trudy digs Bob. Block Ciphers 7
ECB Weakness • Suppose Pi = Pj • Then Ci = Cj and Trudy knows Pi = Pj • This gives Trudy some information, even if she does not know Pi or Pj • Trudy might know Pi • Is this a serious issue? Block Ciphers 8
Alice Hates ECB Mode • Alice’s uncompressed image, Alice ECB encrypted (TEA) • Why does this happen? • Same plaintext block same ciphertext! Block Ciphers 9
CBC Mode • Blocks are “chained” together • A random initialization vector, or IV, is required to initialize CBC mode • IV is random, but need not be secret EncryptionDecryption C0 = E(IV P0, K), P0 = IV D(C0, K), C1 = E(C0 P1, K), P1 = C0 D(C1, K), C2 = E(C1 P2, K),… P2 = C1 D(C2, K),… Block Ciphers 10
CBC Mode • Identical plaintext blocks yield different ciphertext blocks • Cut and paste is still possible, but more complex (and will cause garbles) • If C1 is garbled to, say, G then P1 C0 D(G, K), P2 G D(C2, K) • But P3 = C2 D(C3, K), P4 = C3 D(C4, K),… • Automatically recovers from errors! Block Ciphers 11
Alice Likes CBC Mode • Alice’s uncompressed image, Alice CBC encrypted (TEA) • Why does this happen? • Same plaintext yields different ciphertext! Block Ciphers 12
Counter Mode (CTR) • CTR is popular for random access • Use block cipher like stream cipher EncryptionDecryption C0 = P0 E(IV, K), P0 = C0 E(IV, K), C1 = P1 E(IV+1, K), P1 = C1 E(IV+1, K), C2 = P2 E(IV+2, K),… P2 = C2 E(IV+2, K),… • CBC can also be used for random access!!! Block Ciphers 13
Integrity Block Ciphers 14
Data Integrity • Integrity prevent (or at least detect) unauthorized modification of data • Example: Inter-bank fund transfers • Confidentiality is nice, but integrity is critical • Encryption provides confidentiality (prevents unauthorized disclosure) • Encryption alone does not assure integrity (recall one-time pad and attack on ECB) Block Ciphers 15
MAC • Message Authentication Code (MAC) • Used for data integrity • Integrity not the same as confidentiality • MAC is computed as CBC residue • Compute CBC encryption, but only save the final ciphertext block Block Ciphers 16
MAC Computation • MAC computation (assuming N blocks) C0 = E(IV P0, K), C1 = E(C0 P1, K), C2 = E(C1 P2, K),… CN1 = E(CN2 PN1, K) = MAC • MAC sent along with plaintext • Receiver does same computation and verifies that result agrees with MAC • Receiver must also know the key K Block Ciphers 17
Why does a MAC work? • Suppose Alice computes C0 = E(IVP0,K), C1 = E(C0P1,K), C2 = E(C1P2,K), C3 = E(C2P3,K) = MAC • Alice sends IV,P0,P1,P2,P3 and MAC to Bob • Trudy changes P1 to X • Bob computes C0 = E(IVP0,K), C1= E(C0X,K), C2= E(C1P2,K), C3= E(C2P3,K) = MAC MAC • Propagates into MAC (unlike CBC decryption) • Trudy can’t change MAC to MAC without K Block Ciphers 18
Confidentiality and Integrity • Encrypt with one key, MAC with another • Why not use the same key? • Send last encrypted block (MAC) twice? • Can’t add any security! • Use different keys to encrypt and compute MAC; it’s OK if keys are related • But still twice as much work as encryption alone • Confidentiality and integrity with one “encryption” is a research topic Block Ciphers 19
Uses for Symmetric Crypto • Confidentiality • Transmitting data over insecure channel • Secure storage on insecure media • Integrity (MAC) • Authentication protocols (later…) • Anything you can do with a hash function (upcoming chapter…) Block Ciphers 20
Feistel Cipher • Feistel cipher refers to a type of block cipher design, not a specific cipher • Split plaintext block into left and right halves: Plaintext = (L0,R0) • For each round i=1,2,...,n, compute Li= Ri1 Ri= Li1 F(Ri1,Ki) where F is round functionand Ki is subkey • Ciphertext = (Ln,Rn) Block Ciphers 21
Feistel Cipher • Decryption: Ciphertext = (Ln,Rn) • For each round i=n,n1,…,1, compute Ri1 = Li Li1 = Ri F(Ri1,Ki) where F is round functionand Ki is subkey • Plaintext = (L0,R0) • Formula “works” for any function F • But only secure for certain functions F Block Ciphers 22
Conclusions • Block ciphers widely used today • Fast in software, very flexible, etc. • Not hard to design strong block cipher • Tricky to make it fast and secure • Next: Hellman’s TMTO • Then: CMEA, Akelarre and FEAL Block Ciphers 23